author | Christian Albrecht <christian.albrecht@mayflower.de> | 2019-03-06 17:56:28 +0100 |
---|---|---|
committer | Christian Albrecht <christian.albrecht@mayflower.de> | 2019-03-06 17:56:28 +0100 |
commit | ff382c18c8f8e3eba1fc3ff331b7146bcb3af674 (patch) | |
tree | 855d327401fbfcb5460209bbb7da5adf8943a23b /nixos/modules/services/cluster/kubernetes/pki.nix | |
parent | e148cb040b84a55229e097cb9c6b1af3c2a5484f (diff) | |
nixos/kubernetes: Address review: Move remaining paths to pki
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/pki.nix')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/pki.nix | 62 |
1 files changed, 60 insertions, 2 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 0b43f2034c2..8bacc07b008 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -125,6 +125,23 @@ in
 top.caFile
 certmgrAPITokenPath
 ];
+ apiserverPaths = [
+ top.apiserver.clientCaFile
+ top.apiserver.etcd.caFile
+ top.apiserver.etcd.certFile
+ top.apiserver.etcd.keyFile
+ top.apiserver.kubeletClientCaFile
+ top.apiserver.kubeletClientCertFile
+ top.apiserver.kubeletClientKeyFile
+ top.apiserver.serviceAccountKeyFile
+ top.apiserver.tlsCertFile
+ top.apiserver.tlsKeyFile
+ ];
+ etcdPaths = [
+ config.services.etcd.certFile
+ config.services.etcd.keyFile
+ config.services.etcd.trustedCaFile
+ ];
 addonManagerPaths = mkIf top.addonManager.enable [
 cfg.certs.addonManager.cert
 cfg.certs.addonManager.key
@@ -150,6 +167,11 @@ in
 cfg.certs.controllerManagerClient.cert
 cfg.certs.controllerManagerClient.key
 ];
+ kubeletPaths = [
+ top.kubelet.clientCaFile
+ top.kubelet.tlsCertFile
+ top.kubelet.tlsKeyFile
+ ];
 
 in
 {
@@ -415,7 +437,7 @@ in
 
 # isolate etcd on loopback at the master node
 # easyCerts doesn't support multimaster clusters anyway atm.
- services.etcd = with cfg.certs.etcd; {
+ services.etcd = mkIf top.apiserver.enable (with cfg.certs.etcd; {
 listenClientUrls = ["https://127.0.0.1:2379"];
 listenPeerUrls = ["https://127.0.0.1:2380"];
 advertiseClientUrls = ["https://etcd.local:2379"];
@@ -424,11 +446,35 @@ in
 certFile = mkDefault cert;
 keyFile = mkDefault key;
 trustedCaFile = mkDefault caCert;
- };
+ });
 
 networking.extraHosts = mkIf (config.services.etcd.enable) ''
 127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
 '';
+ systemd.services.kube-apiserver = mkIf top.apiserver.enable {
+ unitConfig.ConditionPathExists = apiserverPaths;
+ };
+
+ systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
+ wantedBy = [ "kube-apiserver.service" ];
+ pathConfig = {
+ PathExists = apiserverPaths;
+ PathChanged = apiserverPaths;
+ };
+ };
+
+ systemd.services.etcd = mkIf top.apiserver.enable {
+ unitConfig.ConditionPathExists = etcdPaths;
+ };
+
+ systemd.paths.etcd = mkIf top.apiserver.enable {
+ wantedBy = [ "etcd.service" ];
+ pathConfig = {
+ PathExists = etcdPaths;
+ PathChanged = etcdPaths;
+ };
+ };
+
 services.flannel = with cfg.certs.flannelClient; {
 kubeconfig = top.lib.mkKubeConfig "flannel" {
 server = top.apiserverAddress;
@@ -455,6 +501,18 @@ in
 unitConfig.ConditionPathExists = proxyPaths;
 };
 
+ systemd.services.kubelet = mkIf top.kubelet.enable {
+ unitConfig.ConditionPathExists = kubeletPaths;
+ };
+
+ systemd.paths.kubelet = mkIf top.kubelet.enable {
+ wantedBy = [ "kubelet.service" ];
+ pathConfig = {
+ PathExists = kubeletPaths;
+ PathChanged = kubeletPaths;
+ };
+ };
+
 systemd.paths.kube-proxy = mkIf top.proxy.enable {
 wantedBy = [ "kube-proxy.service" ];
 pathConfig = {
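Review bot: The new apiserverPaths and etcdPaths lists are later handed verbatim to ConditionPathExists and PathExists, and several of the options they read (e.g. `top.apiserver.serviceAccountKeyFile`, `config.services.etcd.trustedCaFile`) are, as far as I can tell, nullable path options that this module only fills with mkDefault; a user-supplied null would render as an empty or literal `null` entry and either reset the systemd condition list or make the unit never start. Filtering at definition time is cheap: `apiserverPaths = filter (p: p != null) [ ... ];` (and the same for etcdPaths), or an assertion that every entry is set. A one-line comment on what the lists are for would also help, e.g. `# cert/key files that must exist before the unit may start; the matching path units re-check them`. The enclosing `let` starts and ends outside this hunk.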
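Review bot: The systemd.paths units for kube-apiserver and etcd only solve first-boot ordering, not certificate renewal: a path unit activates its target, and activating an already-running unit is a no-op, so when PathChanged fires for a renewed cert the running apiserver or etcd keeps serving the old one until something else restarts it. If renewal is meant to be handled by certmgr's own action hooks, say so next to the units, e.g. `# path units only start the service once all certs exist; reloads after renewal are certmgr's job`; otherwise the trigger should be a oneshot that runs `systemctl try-restart kube-apiserver.service`. Note also that `systemd.services.etcd` is gated on `top.apiserver.enable` while the neighbouring `networking.extraHosts` is gated on `config.services.etcd.enable`; the two can diverge if etcd is enabled on a node without the apiserver. The surrounding attribute set starts and ends outside this hunk.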
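Review bot: systemd.paths.kubelet is the fourth copy of the same wantedBy/PathExists/PathChanged shape (kube-apiserver, etcd and kube-proxy in the sibling hunks and context), differing only in the service name and the path list; a small helper in the `let` above would keep them in step, e.g. `mkPathUnit = name: paths: { wantedBy = [ "${name}.service" ]; pathConfig = { PathExists = paths; PathChanged = paths; }; };` and then `systemd.paths.kubelet = mkIf top.kubelet.enable (mkPathUnit "kubelet" kubeletPaths);`. A short comment on `unitConfig.ConditionPathExists` noting that a failed condition is a silent skip rather than a failed unit, with the path unit starting the service once the files appear, would save the next reader a trip to the manual. The enclosing attribute set continues outside the hunk.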